Massive Ransomware Attack

Introduction

The ransomware, as we may have heard, was spreading using an exploit from the NSA tooling that the Shadow Brokers leaked last month. It had the potential to spread quickly and far, as it in fact did, and in doing so to attract the attention of IT people who would want to contain and study it. The ransomware was built to avoid activating itself in an analysis environment like that, so it was designed to ping a certain unregistered domain (say, afn38sj729.com): if the lookup returns anything but a DNS error, chances are that its traffic is being manipulated, so it shuts down to avoid further analysis.

The security researcher, on seeing that the ransomware called out to this unregistered domain, immediately registered it so they could monitor the traffic from infected machines, which produced the map above. They thought it would just help track its spread, but in fact by registering that domain they effectively killed the whole attack. Now, when the code pinged that domain, the lookup succeeded because the domain was registered, and therefore the ransomware would never activate itself! They’d pulled the plug and didn’t even realize it.

Massive Attack (Ransomware)

Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday (May 13, 2017), making it one of the broadest and most damaging cyberattacks in history.

Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like FedEx (FDX) also reported they had come under assault.

While Microsoft quickly issued fixes for the latest versions of Windows last month, this left Windows XP unprotected. Many of the machines attacked today have been breached simply because the latest Windows updates have not been applied quickly enough, but there are still organizations that continue to run Windows XP despite the risks. Microsoft is now taking what it describes as a “highly unusual” step to provide public patches for Windows operating systems that are in custom support only. This includes specific fixes for Windows XP, Windows 8, and Windows Server 2003.

The unprecedented attacks, using software called WanaCrypt0r 2.0 or WannaCry, exploit a vulnerability in Windows. Microsoft released a patch – a software update that fixes the problem – for the flaw in March, but computers that had not installed the security update were vulnerable.

It is not known how many computers across the NHS today are still using Windows XP or recent variants Windows 8 and Windows 10. “Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” explains Phillip Misner, a security group manager at Microsoft. “Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only.”

About 40 NHS organisations are thought to have been affected by Friday’s attack, which was released the day after a doctor warned that NHS hospitals needed to be prepared for an incident precisely of the kind seen.

“Many organizations, especially large corporations, use proxies and block direct Internet connections,” said Didier Stevens, a Belgian security researcher and handler at the Internet Storm Center, who noted that machines behind such proxies cannot reach the kill-switch domain directly and so might still be affected.
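The kill-switch logic described in the Introduction and the proxy caveat above, modelled as an added example (not code from the article or from any sample): a probe stands in for the malware's lookup of the hypothetical domain afn38sj729.com, and a constructed sinkhole log shows how registering the domain yields the per-country view of infected hosts. The probe functions, the log format and all addresses are assumptions.

```python
import socket
from collections import Counter
from typing import Callable, Dict, List, Set, Tuple

KILL_SWITCH_DOMAIN = "afn38sj729.com"  # the article's hypothetical domain

# A probe resolves `domain` and connects to it, returning the remote address;
# it raises socket.gaierror on a DNS error, another OSError if egress is blocked.
Probe = Callable[[str], str]

def kill_switch_halts(probe: Probe, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """True when the sample would shut itself down in this environment.
    Only a successful check halts it; every failure reads as "domain still
    unregistered", so proxy-only egress that refuses direct connections
    defeats the kill switch (the Didier Stevens observation).
    """
    try:
        probe(domain)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False
    return True

# Constructed probes standing in for three environments.
def probe_unregistered(domain: str) -> str:
    raise socket.gaierror(-2, f"{domain}: Name or service not known")

def probe_sinkholed(domain: str) -> str:
    return "203.0.113.10"  # TEST-NET address standing in for the sinkhole

def probe_behind_blocking_proxy(domain: str) -> str:
    raise ConnectionRefusedError("direct connections blocked; proxy required")

# Constructed sinkhole access log, one check-in per line: "<src_ip> <country>
# GET / <host>".  These check-ins are what let the researcher map the outbreak.
SINKHOLE_LOG = [
    "198.51.100.7 RU GET / afn38sj729.com",
    "198.51.100.9 RU GET / afn38sj729.com",
    "192.0.2.44 GB GET / afn38sj729.com",
    "203.0.113.21 TW GET / afn38sj729.com",
    "198.51.100.7 RU GET / afn38sj729.com",  # repeat check-in from one host
]

def infected_hosts_by_country(lines: List[str], domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, int]:
    """Count distinct source IPs per country that checked in for `domain`."""
    seen: Set[Tuple[str, str]] = set()
    for line in lines:
        src, country, _method, _path, host = line.split()
        if host == domain:
            seen.add((country, src))
    return dict(Counter(country for country, _ in seen))
```

Running the three probes shows the sample halting only in the sinkholed case; the proxy case fails the check just like an unregistered domain, which is why DNS and proxy logs for the kill-switch domain are worth alerting on even where the switch itself never fires.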

“In fact, 97 percent of the NHS trusts and hospitals and doctors are working as normal,” said British Interior Minister Amber Rudd after chairing the U.K. government’s crisis response team. “So the response has in fact been very good and that is due to the good work of the staff and the resilience that was already put in place.”

According to Rudd, 48 of 248 health service organizations went dark because of the cyberattack. Only six “have some limits on their business,” she added.

The cyberattack took control of any computer it infected and encrypted the information on it. It then demanded a $300 payment to be made via Bitcoin in order for the user to regain access. More than 20 British hospitals and major institutions, including Nissan, FedEx, Russia’s Interior Ministry and German railway stations, were reportedly affected by the attack.

Kaspersky Lab, a cybersecurity company based in Moscow, estimated that 45,000 attacks had been carried out in 99 countries, mostly in Russia. In a blogpost, it added that the totals could be “much, much higher”.

In the UK, computers in hospitals and GP surgeries simultaneously received a pop-up message demanding a ransom in exchange for access to the PCs. The ransomware’s code makes it pretty clear that it’s taking advantage of an exploit called EternalBlue, published in April by the Shadow Brokers but patched preemptively by Microsoft in March.

A bitcoin wallet reportedly used by the ransomers shows numerous incoming transactions of between 0.15 and 0.3 BTC, worth around $250-$500 today, so at least a few of those infected have opted to pay rather than attempt to extricate their data safely or do a full wipe and rollback.